Outsourcing crime: How Ransomware-as-a-Service works

The average person generally imagines cyber crime to be associated with stealing, whether that involves the theft of money or of information the criminal can sell for a profit. While these threats are certainly a major issue people need to concern themselves with, theft is by no means the only way hackers make money off of their victims.

Digital extortion has been ramping up recently, as cyber criminals have begun to realize that people value their data just as much as they do their physical belongings. The biggest singular scam here is ransomware, or software that encrypts the files contained on a computer or network and demands the victim pay a price in order to regain access to them.

Actually creating these forms of malware takes an intense amount of knowledge that the average person simply doesn't have. However, a recent development within the online criminal underworld is allowing malicious individuals to gain access to ransomware regardless of their programming skills.

This trend is called Ransomware-as-a-Service (RaaS), and as the name implies, it involves talented coders selling ransomware to less knowledgeable individuals. This gives quite literally anyone with the ability to scour Dark Web marketplaces the opportunity to exploit helpless victims, thereby extending the reach of this form of malware.

Stampado lets anyone become a cyber criminal

Trend Micro researchers have been following RaaS for some time now, and have discovered some pretty interesting developments within the trend. The most recent ransomware variant being sold to various criminals has been dubbed "Stampado." This particular form of the malware works very much like Jigsaw, which deleted files after certain periods of time in order to receive a faster payment.

However, Jigsaw's creation was much more advanced than Stampado's. This new malware relies on AutoIt, which Trend Micro researchers can quite easily decrypt in order to examine it further. That said, there are two reasons for this ease of decryption.

First and foremost, the price tag is incredibly low. Stampado's vendor is currently selling the ransomware for $39 for a "lifetime license." While our security experts have seen similar strains of Russian malware sell for as low as $10 in 2012, $39 is still not a lot of money to pay considering the average ransomware demand is a few hundred dollars. The reason the seller can keep this price so low is that they very often get a percentage of any profits made by the buyer.

The other reason for this low level of encryption has to do with the accelerated timeline Stampado demands of its victims. Jigsaw gave users a full day to pay the fee before it started deleting files, while Stampado only gives them 6 hours. On top of that, Jigsaw allowed 96 hours to pass before it deleted all of the data on a system, whereas Stampado does this after 72 hours. This gives victims less time to figure out what they're dealing with, thereby scaring them into shelling out the money in order to save whatever information hasn't been deleted.

Email is the main attack vector

With this rise in RaaS threats, it's important to know what kinds of systems facilitate these attacks. Although ransomware can infect a system by the victim visiting a sketchy website, by far the most successful tactic is sending the malware as an attachment within an email. Trend Micro researchers have noticed that email is a favorite among hackers for distributing ransomware attacks, and for good reason.

Regardless of whether the scheme is levied against private individuals or employees of a company, the reality of the situation is that people make mistakes. Human error is infinitely easier to exploit than cyber security software, which is why hackers very often rely on phishing emails in the hope that an unfortunate person will click a link from a less-than-reputable source. In fact, a report from PhishMe found that just over 90 percent of phishing scams relied on a ransomware attachment within the message.

Sadly, despite the fact that phishing is an incredibly well-known attack technique, very few people are ready for it. Social-Engineer CEO Chris Hadnagy has stated that 93 percent of companies in the U.S. have no form of phishing training for their employees. This opens organizations up to a huge amount of risk, and makes life incredibly easy for hackers.

RaaS opens companies up to insider threats

Aside from outside attackers encrypting files through email attacks, businesses also need to worry about insiders distributing ransomware. Security Week reported that the major threat here lies in the amount of knowledge these employees have about the systems that they would be attacking.

A hacker operating outside of a company would simply attempt to gain access to the computer of any employee, generally through a spear phishing attack. However, the downside to this is that these schemes can be mitigated if the IT department is knowledgeable enough and is able to act quickly in order to segregate the infected computer from the network.

With an insider attack, on the other hand, malicious actors are able to directly infect vitally important equipment, as their knowledge of the company's data structure lets them know exactly where to strike. What's more, RaaS can help these individuals facilitate their attack by giving them access to malware that they wouldn't have otherwise been able to create. If this person were to play their cards right and demand an untraceable bitcoin payment, there's a good chance they could make a decent amount of money off of such a venture.

Companies and individuals alike need to be prepared

Clearly, the ability to buy ransomware at incredibly low prices means that quite literally anyone can become a "hacker." Criminals don't even have to know how to code ransomware in order to levy it against unsuspecting victims. Therefore, both companies and private individuals need to take precautions in order to prevent an infection of their equipment.

The first step for both of these groups is to begin education on how ransomware is distributed. Modern phishing emails have become incredibly advanced, and very often are difficult to spot. Hackers will use official-looking company logos and terse language in order to trick people into clicking a link or opening an attachment. If you ever receive an email with such a link, you should first ensure that it will take you to the site the message says it does. This can often be done by hovering over the link and checking the URL.

Companies can help to mitigate the risk of an inside job by being mindful of the data map the organization has created over the years. Often, data sprawl can lead to IT workers losing track of where important information is stored, which is a major security risk. Determining where all the important files lie can help ensure the safety of vital company data.

Finally, and perhaps most importantly, every business and private individual needs to invest in a robust data backup routine. While these services don't technically stop a ransomware infection from occurring, they do allow the victim to simply wipe the compromised machine without having to start from scratch. Doing so might affect productivity and will certainly be annoying, but it's infinitely better than losing every scrap of information or even having to pay the criminal.
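A backup only lets you wipe the machine if the copy is complete and untouched, which is worth checking before an incident rather than during one. The script below is an added example, not code from the article: it records a SHA-256 manifest of a directory at backup time and later verifies a backup copy against it, reporting files that are missing or whose contents changed. The source tree, backup copy and simulated damage are all constructed inside a temporary directory for the demonstration.

```python
"""Build a hash manifest of a directory and verify a backup copy against it.

Added example (not from the original article). The manifest is taken at
backup time; verify_backup() later reports files that are missing from the
copy or whose contents no longer match. The demo() tree and the simulated
damage are constructed in a temporary directory for this example.
"""
import hashlib
import os
import shutil
import tempfile


def _sha256(path):
    """SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = _sha256(full)
    return manifest


def verify_backup(backup_root, manifest):
    """Compare a backup tree with the manifest recorded when it was made.

    Returns {"missing": [...], "modified": [...], "ok": count}; an empty
    missing/modified list means every recorded file is present and intact.
    """
    missing, modified, ok = [], [], 0
    for rel, expected in manifest.items():
        path = os.path.join(backup_root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif _sha256(path) != expected:
            modified.append(rel)
        else:
            ok += 1
    return {"missing": sorted(missing), "modified": sorted(modified), "ok": ok}


def demo():
    """Create a small tree, back it up, verify it, then simulate damage.

    Returns the verification result for the clean copy and for the damaged one.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "documents")
        os.makedirs(os.path.join(src, "reports"))
        with open(os.path.join(src, "notes.txt"), "w") as fh:
            fh.write("quarterly notes\n")
        with open(os.path.join(src, "reports", "q1.csv"), "w") as fh:
            fh.write("region,total\nnorth,42\n")

        manifest = build_manifest(src)
        backup = os.path.join(tmp, "backup")
        shutil.copytree(src, backup)
        clean = verify_backup(backup, manifest)

        # Simulate a backup that stayed reachable from the infected host:
        # one file overwritten with junk, one file deleted.
        with open(os.path.join(backup, "notes.txt"), "wb") as fh:
            fh.write(b"PLACEHOLDER: contents replaced")
        os.remove(os.path.join(backup, "reports", "q1.csv"))
        damaged = verify_backup(backup, manifest)
        return clean, damaged


if __name__ == "__main__":
    clean_result, damaged_result = demo()
    print("clean copy:  ", clean_result)
    print("damaged copy:", damaged_result)
```

The manifest is only trustworthy if it is stored where the compromised machine cannot rewrite it, so in practice it belongs with the offline or write-protected copy of the backup rather than on the host being protected. Running `verify_backup` on a schedule, before anything goes wrong, is what turns a backup from a hope into a tested recovery path.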